Complete Asset Tag List

Document created by Colton Pepper (Employee) on Apr 23, 2020. Last modified by Colton Pepper (Employee) on Apr 23, 2020.
Version 2

Note: This document is associated with Asset Tags: Are You Getting The Best Value? 

 

Complete Asset Tag List:

As stated previously, I highly recommend that all asset tags begin with their associated preface (e.g. "OS:", "Type:", "AWS:", "SW:", "Reg:", etc.). These prefaces are vital for many reasons, including building metrics in dashboards by filtering results on the type of asset tag.

 

Asset Informational Tags:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Each entry below gives the asset tag name, followed by its Rule Engine, Logic and Description/Note.

Agentless Tracking Used
Rule Engine: Vuln(QID) Exist
Logic: QID= 45179

Agentless Tracking Errors
Rule Engine: Vuln(QID) Exist
Logic: QID= 45180

Asset In Multiple Groups
Rule Engine: Groovy Scriptlet
Logic:
// Only HOST assets carry asset group membership; skip everything else.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Count the reserved ASSET_GROUP tags on the host: more than one means multiple groups.
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() > 1;

Asset In One Group
Rule Engine: Groovy Scriptlet
Logic:
// Only HOST assets carry asset group membership; skip everything else.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Exactly one reserved ASSET_GROUP tag means the host is in a single group.
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() == 1;
DHCP Enabled (New)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>45099</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>EnableDHCP = 1</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

Firewall Detected
Rule Engine: Vuln(QID) Exist
Logic: QID= 34011
Description: Can be used in conjunction with internal asset group asset tags to determine if you are passing through any firewalls.
Live Asset
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70004</QID>
<QID>82040</QID>
<QID>12230</QID>
<QID>90399</QID>
<QID>70038</QID>
<QID>105296</QID>
<QID>105297</QID>
</QID_LIST>
</DETECTION>
<LAST_SCAN_DATE>
<SEARCH_TYPE>WITHIN</SEARCH_TYPE>
<DAYS>1</DAYS>
</LAST_SCAN_DATE>
</TAG_CRITERIA>
Description: Tags assets that have one or more of the QIDs listed and that were also scanned within the last "___" days. You will need to change the value for "DAYS" to match your scanning cycle. For example, if the longest time between scans on a single asset is 14 days, then I would suggest changing the value to 15 days. A scan means any type of vulnerability scan or a Light Inventory scan. MAP scans do not apply asset tags. This tag can be used when targeting assets for scanning. Run a Light Inventory Scan on a group of assets to have this tag
Multiple IPs
Rule Engine: Groovy Scriptlet
Logic:
// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Set minimum number of lines to require.
lineMinimum = 2
// Check QID results.
results = asset.resultsForQid(45099L)

// return false if the asset doesn't have QID 45099
if(results == null) return false;

// Count number of lines.
int num = (results =~ /(?m)$/).size()
// Some results do not start with Interface details.
if(results.startsWith("#table cols")) num--
// Test.
if(num >= lineMinimum)
    // QID results has at least lineMinimum.
    return true;
// QID results has less than lineMinimum.
return false;
Description: Tags assets with multiple IPs. This is accomplished by querying an asset to see if QID 45099 ("Interface Names and Assigned IP Address Enumerated from Registry") is found on the host. It then counts the number of lines in the results. If that count reaches the minimum of 2 lines (lineMinimum), the asset has more than 1 NIC/IP and the asset tag is applied.
New Asset
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<FIRST_FOUND_DATE>
<SEARCH_TYPE>WITHIN</SEARCH_TYPE>
<DAYS>7</DAYS>
</FIRST_FOUND_DATE>
</TAG_CRITERIA>
Description: Tags assets that were first found within the last 7 days. Another option is to use a Groovy scriptlet, but that does not include assets that were created via the Qualys AWS Connector.

No Asset Group
Rule Engine: Groovy Scriptlet
Logic:
// Only HOST assets carry asset group membership; skip everything else.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// No reserved ASSET_GROUP tag at all means the host is in no group.
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() < 1;
Description: Tags assets that are not assigned to any asset group.

No Hostname
Rule Engine: Groovy Scriptlet
Logic:
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Treat a missing or whitespace-only hostname as "not detected".
return asset.getHostName()==null || asset.getHostName().trim().length()<=0;
Description: Tags assets where a hostname was not detected.

No NetBIOS Name
Rule Engine: Groovy Scriptlet
Logic:
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Treat a missing or whitespace-only NetBIOS name as "not detected".
return asset.getNetbiosName()==null || asset.getNetbiosName().trim().length()<=0;
Description: Tags assets that do not have a NetBIOS name.

No OS Detected
Rule Engine: Groovy Scriptlet
Logic:
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Treat a missing or whitespace-only OS string as "not detected".
return asset.getOperatingSystem()==null || asset.getOperatingSystem().trim().length()<=0;
Description: Tags assets where no operating system was detected.
Possible Scan Interference
Rule Engine: Vuln(QID) Exist
Logic: QID= 42432
Description: This tag identifies assets where, during a PCI scan, the scanner detected that an Active Protection System (IPS, WAF, firewall, NGF, etc.) is blocking, filtering, dropping or modifying network packets from a PCI Certified Scan.

If this tag is present on any asset that is targeted for PCI scans, you need to investigate what on the host may be causing the interference.

Check the results field of this QID on the host for more information. Typically, the results field will say where it noticed the potential interference.

Scan Time (>30m)
Rule Engine: Groovy Scriptlet
Logic:
// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 30
host_scan_time = asset.resultsForQid(45038L);
// return false if the asset doesn't have QID 45038
// or the results for some reason is not the expected length
if(host_scan_time == null || host_scan_time.length() <= 16)
    return false;
// Find the " seconds" suffix; without it the substring() call below would throw.
int end = host_scan_time.indexOf(' seconds');
if(end < 0) return false;
// Parse for duration: the seconds value follows a fixed 15-character prefix.
host_scan_time = host_scan_time.substring(15, end).trim();
// Bail out if anything other than a whole number was extracted.
if(!host_scan_time.isInteger()) return false;
// Convert number of seconds to integer
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes*60);
Description: Tags assets where the total scan time exceeds 30 minutes. This timeframe can be modified by changing the numeric value in Line 4 (threshold_minutes).
Stale Asset
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<LAST_SCAN_DATE>
<SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
<DAYS>90</DAYS>
</LAST_SCAN_DATE>
<FIRST_FOUND_DATE>
<SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
<DAYS>90</DAYS>
</FIRST_FOUND_DATE>
</TAG_CRITERIA>
Description: This tag is assigned to assets that have not been scanned within the last 90 days and that were not created (or first found) within the last 90 days. This tag is great for identifying assets that need to be purged. The values for "DAYS" should be adjusted to meet your requirements.

The reason I've included the "First Found Date" criterion is AWS assets that are created using the AWS Connectors. They are created within Qualys once they're spun up and the Qualys Connector API retrieves an inventory of the account from AWS. Without the "First Found Date" criterion, any new asset created in Qualys through the AWS Connector would be marked as a "Stale Asset" since it has never been scanned.
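To see how the three date-driven Asset Search tags in this table (Live Asset, New Asset and Stale Asset) interact, and why the Stale Asset rule needs its FIRST_FOUND_DATE clause, here is an added Python model of the criteria run over a constructed inventory. It is not Qualys code; it assumes WITHIN means "on or after today minus DAYS" and that a never-scanned asset simply has no last scan date.

```python
from datetime import date, timedelta

# QIDs from the Live Asset tag's QID_LIST above.
LIVE_ASSET_QIDS = {70004, 82040, 12230, 90399, 70038, 105296, 105297}


def within(d, today, days):
    """Model of Asset Search WITHIN: true when the date is on or after today - days.
    A missing date (asset never scanned) is never within any window (assumption)."""
    return d is not None and d >= today - timedelta(days=days)


def is_live(asset, today, days=1):
    """Live Asset: one of the listed QIDs detected AND last scanned WITHIN `days`."""
    return bool(asset["qids"] & LIVE_ASSET_QIDS) and within(asset["last_scan"], today, days)


def is_new(asset, today, days=7):
    """New Asset: FIRST_FOUND_DATE WITHIN `days`."""
    return within(asset["first_found"], today, days)


def is_stale(asset, today, days=90, check_first_found=True):
    """Stale Asset: LAST_SCAN_DATE NOT_WITHIN `days` AND FIRST_FOUND_DATE NOT_WITHIN `days`.

    With check_first_found=False the second clause is dropped, which is the version
    the text warns against: a freshly created, never-scanned asset (for example one
    the AWS Connector just imported) would then be tagged stale."""
    not_scanned_recently = not within(asset["last_scan"], today, days)
    if not check_first_found:
        return not_scanned_recently
    return not_scanned_recently and not within(asset["first_found"], today, days)


def evaluate(assets, today):
    """Return {asset name: list of the date-driven tags it would receive}."""
    result = {}
    for name, asset in assets.items():
        tags = []
        if is_live(asset, today):
            tags.append("Live Asset")
        if is_new(asset, today):
            tags.append("New Asset")
        if is_stale(asset, today):
            tags.append("Stale Asset")
        result[name] = tags
    return result


# Constructed sample inventory (not real Qualys data); dates are relative to TODAY.
TODAY = date(2020, 4, 23)
SAMPLE_ASSETS = {
    "scanned-yesterday": {"qids": {82040}, "last_scan": TODAY - timedelta(days=1),
                          "first_found": TODAY - timedelta(days=400)},
    "new-aws-unscanned": {"qids": set(), "last_scan": None,
                          "first_found": TODAY - timedelta(days=2)},
    "old-unscanned":     {"qids": set(), "last_scan": None,
                          "first_found": TODAY - timedelta(days=200)},
    "last-seen-120d":    {"qids": {70004}, "last_scan": TODAY - timedelta(days=120),
                          "first_found": TODAY - timedelta(days=300)},
}

if __name__ == "__main__":
    for name, tags in evaluate(SAMPLE_ASSETS, TODAY).items():
        print(f"{name}: {tags or ['(no date-driven tag)']}")
```

Running it shows "new-aws-unscanned" receiving only New Asset; calling is_stale on it with check_first_found=False shows the false positive the extra clause prevents.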

 

Sticky Keys Enabled
Rule Engine: Vuln(QID) Exist
Logic: QID= 124403

Web Server Stopped Responding
Rule Engine: Vuln(QID) Exist
Logic: QID= 86476
Description: This QID is present on any host where, during a scan, the web server stopped responding to 3 consecutive connection attempts and/or more than 3 consecutive HTTP / HTTPS requests.

This is a great QID for identifying assets that may be falling victim to the scan intensity settings in the Option Profile of a scan. Assets with this QID may require a tuned Option Profile with the parallel HTTP processes and packet burst lowered to a level the web server can handle.

Check the QID results field on the asset for more information about what occurred during the scan.

 

Asset Type:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Each entry below gives the asset tag name, followed by its Rule Engine, Logic and Description/Note.

Type: Cisco ASA
Rule Engine: Operating System Regular Expression
Logic: cisco\s(asa|adaptive\ssecurity\sappliance)

Type: Cisco PIX
Rule Engine: Operating System Regular Expression
Logic: cisco\spix

Type: Cisco Switch
Rule Engine: Operating System Regular Expression
Logic: (cisco\sswitch)|(cisco\snexus\sswitch)

Type: Cisco Controller
Rule Engine: Operating System Regular Expression
Logic: cisco\scontroller
Description: This RegEx may need tweaking. I didn't have a great sample size for this OS.

Type: Cisco IP Phone
Rule Engine: Operating System Regular Expression
Logic: cisco\sip\sphone
Description: This RegEx may need tweaking. I didn't have a great sample size for this OS.

Type: Domain Controller
Rule Engine: Vuln(QID) Exist
Logic: QID= 90036
Description: Requires Windows Authentication.
Type: Meraki Device (Updated)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>12230</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>cisco-meraki.png</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Updated: I recently realized that the logic for this tag on line 9 was incorrect, and it has been updated. If you are using this tag, please verify that your tag's logic carries the right search term on line #9.

Type: Mobile Device
Rule Engine: Operating System Regular Expression
Logic: apple\sios|.*android.*
Description: Stay tuned on this tagging logic. Regular updates will be made to this tag as I am able to collect more OS information on mobile devices.
Type: NCR ATM Machine (New)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>45304</QID>
<QID>90235</QID>
<QID>90074</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>Unified Agent</SEARCH_TERM>
<SEARCH_TERM>NCR Remote Agent</SEARCH_TERM>
<SEARCH_TERM>ImageMark Passport ATM Agent</SEARCH_TERM>
<SEARCH_TERM>NCR_START</SEARCH_TERM>
<SEARCH_TERM>NCR.APTRA.CollectorProxy</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: This tag is for customers in the banking industry who have NCR ATM machines in their environment.

The QIDs used in this tag require successful authentication. Without successful authentication, this tag will not work.

A VERY special thank you goes out to a customer, you know who you are, for letting me assist with their specific use case. I will work on creating additional tags for these and other ATM vendors as the opportunities come up.

Type: Print Server
Rule Engine: Operating System Regular Expression
Logic: .*print\sserver.*
Description: Tags many different types of print servers.

Type: Printer
Rule Engine: Operating System Regular Expression
Logic: .*printer.*
Description: Tags many different types of printers.

Type: Server
Rule Engine: Operating System Regular Expression
Logic: .*Windows (Server|20\d\d).*|Linux|Red Hat Enterprise|Server.*
Description: Tags assets where the operating system was identified as a server of some kind, regardless of "flavor" (Windows or Linux). This also captures print servers.
Type: vSphere Server
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<OPEN_PORTS>
<PORT>443</PORT>
</OPEN_PORTS>
<DETECTION>
<QID_LIST>
<QID>12230</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>vsphere</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

Type: Workstation
Rule Engine: Operating System Regular Expression
Logic: .*Windows((\s10.*|\s.*\/10)|\s7|\D\D7|.*\/7|\s8|\s.*\/8|\s2000|\sce|\snt|\svista|.*\/vista|\s95|((\sxp)|(.*\/XP)))|mac(os|\sos)

 

Authentication Related Tags

Authentication Status:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Each entry below gives the asset tag name, followed by its Rule Engine, Logic and Description/Note.

Authentication Successful (Updated)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>38307</QID>
<QID>70053</QID>
</QID_LIST>
</DETECTION>
</TAG_CRITERIA>
Description: UPDATED: I've updated the logic from using the Groovy Scriptlet rule engine to the Asset Search rule engine.

Tag is used for Windows & UNIX authentication.

Authentication Failed (Updated)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>105053</QID>
<QID>105015</QID>
</QID_LIST>
</DETECTION>
</TAG_CRITERIA>
Description: UPDATED: I've updated the logic from using the Groovy Scriptlet rule engine to the Asset Search rule engine.

Tag is used for Windows & UNIX authentication.

Authentication Not Attempted (Updated)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>105296</QID>
<QID>105297</QID>
</QID_LIST>
</DETECTION>
</TAG_CRITERIA>
Description: UPDATED: I've updated the logic from using the Groovy Scriptlet rule engine to the Asset Search rule engine.
NULL Session Allowed
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70028</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>Authentication_Scheme NULL_session</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

SNMP Authentication Success
Rule Engine: Vuln(QID) Exist
Logic: QID= 78049

SNMP Authentication Failed
Rule Engine: Vuln(QID) Exist
Logic: QID= 105192

SNMP Authentication Not Attempted
Rule Engine: Vuln(QID) Exist
Logic: QID= 105298

Authentication Successful (username) (Updated)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>38307</QID>
<QID>70053</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>User_Name useraccountnamehere</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: UPDATED: I've added QID 38307 on line #5 so that those who are using this don't have to modify the QID when looking for successful auth on either a Windows system or a Unix system.

Tags assets that were successfully authenticated to during a scan. Change the value "useraccountnamehere" in Line #10 to the username you use.


Authentication Details:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Each entry below gives the asset tag name, followed by its Rule Engine, Logic and Description/Note.

Account Locked Out (username)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>105052</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>username</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: This asset tag only works for Windows assets.

Tags assets where the username used during the scan was found to be locked out. Change the value in Line #9 to the username you use.

AR: [authentication_record_name]
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>38307</QID>
<QID>70053</QID>
<QID>105053</QID>
<QID>105015</QID>
<QID>105296</QID>
<QID>105297</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>AUTHENTICATION_RECORD_NAME</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Tags an asset with the name of the authentication record used during the scan. Please note that you will need to do some homework for this tag. The QIDs in lines 5-10 are fine, but you will need to change line 14 to the record name exactly as it appears in the results field of those QIDs (lines 5-10).

Please note: the results field lists the authentication record name but substitutes underscores "_" for spaces. Any special characters are escaped with an underscore "_" as well. For example:

Record name: "Windows Auth_Record"

will read as "Windows_Auth__Record".
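As an added helper that is not part of the original document, the Python below applies the underscore rewriting described above and emits the full TAG_CRITERIA XML for the AR: [authentication_record_name] tag with the rewritten name in place of AUTHENTICATION_RECORD_NAME. It assumes "escaped using an underscore" means an underscore is placed in front of the special character (the page's only example, "Windows Auth_Record" becoming "Windows_Auth__Record", fits that reading), so verify the output against a real QID results field before relying on it.

```python
import xml.etree.ElementTree as ET

# QIDs from lines 5-10 of the AR: [authentication_record_name] tag logic above.
AR_QIDS = ["38307", "70053", "105053", "105015", "105296", "105297"]


def escape_record_name(name):
    """Rewrite an authentication record name the way the QID results field shows it.

    Spaces become "_"; any other non-alphanumeric character gets a "_" in front of
    it. Assumption: the page's single example fits this reading; confirm against a
    real results field.
    """
    out = []
    for ch in name:
        if ch == " ":
            out.append("_")
        elif ch.isalnum():
            out.append(ch)
        else:
            out.append("_" + ch)
    return "".join(out)


def ar_tag_criteria(record_name):
    """Build the Asset Search TAG_CRITERIA XML for one authentication record name."""
    root = ET.Element("TAG_CRITERIA")
    detection = ET.SubElement(root, "DETECTION")
    qid_list = ET.SubElement(detection, "QID_LIST")
    for qid in AR_QIDS:
        ET.SubElement(qid_list, "QID").text = qid
    results = ET.SubElement(detection, "RESULTS")
    ET.SubElement(results, "SEARCH_TYPE").text = "CONTAINING"
    ET.SubElement(results, "SEARCH_TERM").text = escape_record_name(record_name)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed record name, matching the example given in the text.
    print(ar_tag_criteria("Windows Auth_Record"))
```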

Auth Scheme (Public Key)
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>38307</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>Authentication_Scheme publickey</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Used to tag assets where the authentication record authenticates with a public key/certificate as opposed to a username/password. The QID used is "Unix Authentication Method", which, when present, indicates that successful Unix authentication has occurred.

Unix Auth Not Using Sudo
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>38307</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>Using_sudo No</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Tags assets where authentication succeeded but the authentication record is not using sudo, which will likely affect your scan results.

 

Operating Systems:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Each entry below gives the asset tag name, followed by its Rule Engine, Logic and Description/Note.

OS: AIX 5.x
Rule Engine: Operating System Regular Expression
Logic: aix\s5\D
Description: EOL Operating System!

OS: AIX 6.x
Rule Engine: Operating System Regular Expression
Logic: aix\s6\D
Description: EOL Operating System!

OS: AIX 7.x
Rule Engine: Operating System Regular Expression
Logic: aix\s7\D

OS: AIX x.x
Rule Engine: Operating System Regular Expression
Logic: .*aix.*

OS: Amazon Linux
Rule Engine: Operating System Regular Expression
Logic: amazon\slinux

OS: Apple Airport
Rule Engine: Operating System Regular Expression
Logic: apple\sairport

OS: Apple iOS
Rule Engine: Operating System Regular Expression
Logic: apple\sios

OS: Android
Rule Engine: Operating System Regular Expression
Logic: .*android.*

OS: CentOS 4.x
Rule Engine: Operating System Regular Expression
Logic: centos\s(linux\s4\D|4\D)

OS: CentOS 5.x
Rule Engine: Operating System Regular Expression
Logic: centos\s(linux\s5\D|5\D)

OS: CentOS 6.x
Rule Engine: Operating System Regular Expression
Logic: centos\s(linux\s6\D|6\D)

OS: CentOS 7.x
Rule Engine: Operating System Regular Expression
Logic: centos\s(linux\s7\D|7\D)

OS: CentOS x.x
Rule Engine: Operating System Regular Expression
Logic: .*centos.*

OS: Cisco ASA
Rule Engine: Operating System Regular Expression
Logic: cisco\s(asa|adaptive\ssecurity\sappliance)
Description: Copied from "Asset Type" section.

OS: Cisco Controller
Rule Engine: Operating System Regular Expression
Logic: cisco\scontroller
Description: Copied from "Asset Type" section.

OS: Cisco IOS 11.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios(\s11|\sversion\s11)

OS: Cisco IOS 12.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios(\s12|\sversion\s12)

OS: Cisco IOS 13.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios(\s13|\sversion\s13)

OS: Cisco IOS 14.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios(\s14|\sversion\s14)

OS: Cisco IOS 15.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios(\s15|\sversion\s15)

OS: Cisco IOS 16.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios(\s16|\sversion\s16)
Description: Cisco IOS 16 isn't out as of 6/27/18, but it's here for when it is!

OS: Cisco IOS x.x
Rule Engine: Operating System Regular Expression
Logic: cisco\sios
Description: Copied from "Asset Type" section.

OS: Cisco IP Phone
Rule Engine: Operating System Regular Expression
Logic: cisco\sip\sphone
Description: Copied from "Asset Type" section.

OS: Cisco PIX
Rule Engine: Operating System Regular Expression
Logic: cisco\spix
Description: Copied from "Asset Type" section.

OS: Cisco Switch
Rule Engine: Operating System Regular Expression
Logic: (cisco\sswitch)|(cisco\snexus\sswitch)
Description: Copied from "Asset Type" section.
OS: Dell (DRAC)
Rule Engine: Operating System Regular Expression
Logic: (dell\sremote\saccess\scontroller)|(drac|idrac)

OS: Fedora xx
Rule Engine: Operating System Regular Expression
Logic: fedora\s##
Description: If you know which versions of Fedora you have in your environment, change the "#" in the RegEx and the "xx" in the tag name to the versions you have. Create one for each version.

OS: Fedora
Rule Engine: Operating System Regular Expression
Logic: .*fedora.*

OS: FreeBSD
Rule Engine: Operating System Regular Expression
Logic: .*freebsd.*

OS: HP iLO
Rule Engine: Operating System Regular Expression
Logic: hp\s(ilo|rilo.*)
Description: Includes tagging for HP RiLOE.

OS: Linux 2.x
Rule Engine: Operating System Regular Expression
Logic: linux\s2\D

OS: Linux 3.x
Rule Engine: Operating System Regular Expression
Logic: linux\s3\D

OS: Linux x.x
Rule Engine: Operating System Regular Expression
Logic: linux\s\d\D
Description: Captures all Linux "1." - "9." versions, such as Linux 2.4, Linux 3.1, etc.

OS: MacOS
Rule Engine: Operating System Regular Expression
Logic: macos|mac\sos

OS: MacOS X
Rule Engine: Operating System Regular Expression
Logic: macos\sx|mac\sos\sx

OS: Oracle Ent Linux 4.x
Rule Engine: Operating System Regular Expression
Logic: oracle\senterprise\slinux\s4\D

OS: Oracle Ent Linux 5.x
Rule Engine: Operating System Regular Expression
Logic: oracle\senterprise\slinux\s5\D

OS: Oracle Ent Linux 6.x
Rule Engine: Operating System Regular Expression
Logic: oracle\senterprise\slinux\s6\D

OS: Oracle Ent Linux 7.x
Rule Engine: Operating System Regular Expression
Logic: oracle\senterprise\slinux\s7\D

OS: Oracle Ent Linux x.x
Rule Engine: Operating System Regular Expression
Logic: oracle\senterprise\slinux

OS: RHEL Server 5.x
Rule Engine: Operating System Regular Expression
Logic: red\shat\senterprise\slinux\sserver\s5.*

OS: RHEL Server 6.x
Rule Engine: Operating System Regular Expression
Logic: red\shat\senterprise\slinux\sserver\s6.*

OS: RHEL Server 7.x
Rule Engine: Operating System Regular Expression
Logic: red\shat\senterprise\slinux\sserver\s7.*

OS: RHEL Server x.x
Rule Engine: Operating System Regular Expression
Logic: red\shat\senterprise\slinux\sserver\s(5|6|7).*
Description: Tags all versions of RHEL.

OS: Solaris
Rule Engine: Operating System Regular Expression
Logic: .*solaris.*

OS: Ubuntu 14
Rule Engine: Operating System Regular Expression
Logic: ubuntu\s(14\D|linux\s14\D)

OS: Ubuntu 15
Rule Engine: Operating System Regular Expression
Logic: ubuntu\s(15\D|linux\s15\D)

OS: Ubuntu 16
Rule Engine: Operating System Regular Expression
Logic: ubuntu\s(16\D|linux\s16\D)

OS: Ubuntu 17
Rule Engine: Operating System Regular Expression
Logic: ubuntu\s(17\D|linux\s17\D)

OS: Ubuntu xx
Rule Engine: Operating System Regular Expression
Logic: .*ubuntu.*

OS: UNIX/Linux (ALL)
Rule Engine: Operating System Regular Expression
Logic: (CentOS[\s\S])|(Linux\s\d\D[\s\S])|(Red Hat Enterprise Linux Server\s[\s\S])|(Solaris[\s\S])|(SuSE[\s\S])|(Ubuntu[\s\S])|(UNIX[\s\S])|(amazon\slinux)
Description: Tags all UNIX and Linux OS's.
OS: Windows 10
Rule Engine: Operating System Regular Expression
Logic: .*Windows\s10.*

OS: Windows 7
Rule Engine: Operating System Regular Expression
Logic: .*windows(\s7|\D\D7|.*\/7)

OS: Windows 7 Embedded
Rule Engine: Operating System Regular Expression
Logic: windows\s7\sembedded

OS: Windows 8
Rule Engine: Operating System Regular Expression
Logic: windows(\s8|\s.*\/8)

OS: Windows 8 Embedded Industry Enterprise
Rule Engine: Operating System Regular Expression
Logic: windows\sembedded\s8.*\sindustry\senterprise

OS: Windows 8 Embedded Industry Pro
Rule Engine: Operating System Regular Expression
Logic: windows\sembedded\s8.*\sindustry\spro

OS: Windows 95
Rule Engine: Operating System Regular Expression
Logic: windows\s95

OS: Windows 2000
Rule Engine: Operating System Regular Expression
Logic: windows\s2000

OS: Windows CE
Rule Engine: Operating System Regular Expression
Logic: windows\sce

OS: Windows Embedded Standard
Rule Engine: Operating System Regular Expression
Logic: windows\sembedded\sstandard

OS: Windows NT
Rule Engine: Operating System Regular Expression
Logic: windows(\snt)

OS: Windows Server (ALL)
Rule Engine: Operating System Regular Expression
Logic: .*windows\s.*(server|20[0-1][0-9]).*
Description: Tags all versions of Windows Server. Now includes tagging for Windows server OS's that are less common but still seen by Qualys, such as "Windows Storage Server 20xx" and "Windows Web Server 20xx".

OS: Windows Server 2003
Rule Engine: Operating System Regular Expression
Logic: Windows\s.*(2003)((?!\/).)*

OS: Windows Server 2008
Rule Engine: Operating System Regular Expression
Logic: windows\s(2008|server\s2008|storage\sserver\s2008|web\sserver\s2008|.*\/2008)|(windows.*storage\sserver\s2008)
Description: It sure is ugly, but I've tested it against 45 different variations of Windows Server 2008 OS's and it captured all of them!

OS: Windows Server 2012
Rule Engine: Operating System Regular Expression
Logic: (windows\sserver\s2012)|(windows\s2012)|(windows\sstorage\sserver\s2012)|(windows.*\/2012)

OS: Windows Server 2016
Rule Engine: Operating System Regular Expression
Logic: (windows\s2016)|(windows\sserver\s2016)|(windows.*\/2016)

OS: Windows Server 2019
Rule Engine: Operating System Regular Expression
Logic: COMING SOON!

OS: Windows Vista
Rule Engine: Operating System Regular Expression
Logic: windows\s(vista|.*\/vista)

OS: Windows Workstation
Rule Engine: Operating System Regular Expression
Logic: .*Windows((\s10.*|\s.*\/10)|\s7|\D\D7|.*\/7|\s8|\s.*\/8|\s2000|\sce|\snt|\svista|.*\/vista|\s95|((\sxp)|(.*\/XP)))
Description: Included logic to tag Windows 95 assets.

OS: Windows XP
Rule Engine: Operating System Regular Expression
Logic: (windows\sxp)|(windows.*\/XP)

OS: vCenter Server Appliance 5.x
Rule Engine: Operating System Regular Expression
Logic: vmware\svcenter\sserver\sappliance\s5\D

OS: vCenter Server Appliance 6.x
Rule Engine: Operating System Regular Expression
Logic: vmware\svcenter\sserver\sappliance\s6\D

OS: VMware ESX 3.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesx\s3\D

OS: VMware ESX 4.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesx\s4\D

OS: VMware ESX x.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesx\s

OS: VMware ESXi 3.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesxi\s(3\D|server\s3\D)

OS: VMware ESXi 4.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesxi\s(4\D|server\s4\D)

OS: VMware ESXi 5.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesxi\s(5\D|server\s5\D)

OS: VMware ESXi 6.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesxi\s(6\D|server\s6\D)

OS: VMware ESXi x.x
Rule Engine: Operating System Regular Expression
Logic: vmware\sesxi\s
Description: *Corrected a typo in the logic. (10/9/19)
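As an added check that is not part of the original document, the Python below re-runs a subset of the regexes from the "Asset Type" and "Operating Systems" tables (copied verbatim) against constructed OS strings, so a rule can be exercised before it is saved as a tag and so the "OS:" / "Type:" preface filtering from the introduction can be seen working. It assumes the constructs used here (\s, \d, \D, alternation, lookahead) behave the same under Python's re as in the Qualys rule engine, with re.IGNORECASE standing in for the "Ignore Case" box.

```python
import re

# Tag name -> Operating System Regular Expression, copied from the tables on this page.
OS_TAG_RULES = {
    "Type: Server": r".*Windows (Server|20\d\d).*|Linux|Red Hat Enterprise|Server.*",
    "Type: Workstation": r".*Windows((\s10.*|\s.*\/10)|\s7|\D\D7|.*\/7|\s8|\s.*\/8|\s2000|\sce|\snt|\svista|.*\/vista|\s95|((\sxp)|(.*\/XP)))|mac(os|\sos)",
    "OS: Windows 10": r".*Windows\s10.*",
    "OS: Windows Server (ALL)": r".*windows\s.*(server|20[0-1][0-9]).*",
    "OS: Windows Server 2008": r"windows\s(2008|server\s2008|storage\sserver\s2008|web\sserver\s2008|.*\/2008)|(windows.*storage\sserver\s2008)",
    "OS: Ubuntu 16": r"ubuntu\s(16\D|linux\s16\D)",
    "OS: Linux x.x": r"linux\s\d\D",
    "OS: UNIX/Linux (ALL)": r"(CentOS[\s\S])|(Linux\s\d\D[\s\S])|(Red Hat Enterprise Linux Server\s[\s\S])|(Solaris[\s\S])|(SuSE[\s\S])|(Ubuntu[\s\S])|(UNIX[\s\S])|(amazon\slinux)",
    "OS: MacOS": r"macos|mac\sos",
    "OS: MacOS X": r"macos\sx|mac\sos\sx",
}

# "Ignore Case" is checked on every RegEx tag in the tables, so compile case-insensitively.
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in OS_TAG_RULES.items()}


def tags_for(os_string):
    """Return, sorted, every tag whose regex matches the detected OS string."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(os_string))


def tags_with_preface(tags, preface):
    """Keep only tags starting with a preface such as "OS:" or "Type:", which is
    the filter a dashboard widget would apply."""
    return [t for t in tags if t.startswith(preface + " ")]


# Constructed OS strings in the style Qualys reports (not captured from a real scan).
SAMPLE_OS_STRINGS = [
    "Windows 10 Pro 64 bit Edition Version 1809",
    "Windows Server 2008 R2 Standard 64 bit Edition Service Pack 1",
    "Ubuntu Linux 16.04",
    "Mac OS X 10.13.6",
]

if __name__ == "__main__":
    for s in SAMPLE_OS_STRINGS:
        print(f"{s!r}: {tags_for(s)}")
```

Note that "Ubuntu Linux 16.04" does not receive "OS: Linux x.x": that regex wants a non-digit right after the first version digit, so it only fits kernel-style strings such as "Linux 2.4".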



Windows Registry Asset Tags:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

 

Place these tags within a new parent tag titled "Reg: Windows Registry Tags".

 

Each entry below gives the asset tag name, followed by its Rule Engine, Logic and Description/Note.

Reg: Critical Registry Access Denied
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>90195</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>HKCR\Installer\Patches</SEARCH_TERM>
<SEARCH_TERM>HKCR\Installer\Products</SEARCH_TERM>
<SEARCH_TERM>HKLM\SOFTWARE</SEARCH_TERM>
<SEARCH_TERM>HKLM\SYSTEM</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Tags assets where the two critical registry paths are inaccessible to network-based vulnerability scans. The presence of this asset tag indicates that the authentication record used on the target host has insufficient access and needs to be investigated.

Reg: Hardware Info Not Accessible
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>90195</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>HKLM\HARDWARE</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: This tag identifies assets where the credentials provided for vulnerability scanning were unable to access the registry path that contains system information related to the hardware. BIOS information, processor information, system manufacturer and model/serial number are just a few things found here. This isn't necessarily critical, but depending on your own use cases this may be important information for you to have.

Reg: Installed Patches Not Accessible
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>90195</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>HKCR\Installer\Patches</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Identifies assets where the authentication record used does not have the access required to view the installed patches. Since Qualys is unable to check this registry location for installed patches, it's very likely that some vulnerabilities are not being identified. As a result, vulnerability detections will be impacted!

Reg: Installed SW Not Accessible
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>90195</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>HKLM\SOFTWARE</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Like the previous tag, this is one location where Qualys looks for installed software. This registry location is what's used to help populate the "Installed Software" tab for a host within AssetView. If this tag has been applied to a host, the vulnerability detections are likely fewer than the number of vulnerabilities it actually has, because Qualys is unable to see what software is installed or which versions are running on the target host. Arguably, every application installed on a computer exposes the system to any number of vulnerabilities; if access to this registry location is blocked, Qualys is unable to detect the vulnerabilities these applications expose.

Reg: System Info Not Accessible
Rule Engine: Asset Search
Logic:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>90195</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>HKLM\SYSTEM</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>
Description: Many important system details reside within the HKEY_LOCAL_MACHINE (HKLM) System location. This asset tag is a generic tag that tags any asset where access to the "HKLM\System" location was denied. Probably one of the most important locations within the System hive is "CurrentControlSet" (HKLM\System\CurrentControlSet). This is a goldmine of system information! Within "Control", information such as the system name, network information, power settings (I found my power button configuration in here), and so on, can be found. Have a look for yourself!